<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Separating node-to-node and client traffic | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'separating-node-client-traffic.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/separating-node-client-traffic.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/separating-node-client-traffic.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/separating-node-client-traffic.html" rel="nofollow" target="_blank">../en/separating-node-client-traffic.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="secure-cluster.html">Secure a cluster</a></span>
»
<span class="breadcrumb-link"><a href="configuring-security.html">Configuring security in Elasticsearch</a></span>
»
<span class="breadcrumb-node">Separating node-to-node and client traffic</span>
</div>
<div class="navheader">
<span class="prev">
<a href="configuring-security.html">« Configuring security in Elasticsearch</a>
</span>
<span class="next">
<a href="security-files.html">Security files »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="separating-node-client-traffic"></a>Separating node-to-node and client traffic<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/securing-communications/separating-node-client-traffic.asciidoc">edit</a><a class="xpack_tag" href="https://www.elastic.co/subscriptions"></a>
</h2>
</div></div></div>
<div class="warning admon">
<div class="icon"></div>
<div class="admon_content">
<h3>Deprecated in 7.3.0.</h3>
<p>Transport Client is deprecated and will be removed</p>
</div>
</div>
<p>Elasticsearch has the feature of so called
<a href="modules-transport.html" class="ulink" target="_top">TCP transport profiles</a>
that allows it to bind to several ports and addresses. The Elasticsearch
security features extend on this functionality to enhance the security of the
cluster by enabling the separation of node-to-node transport traffic from client
transport traffic. This is important if the client transport traffic is not
trusted and could potentially be malicious. To separate the node-to-node traffic
from the client traffic, add the following to <code class="literal">elasticsearch.yml</code>:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">transport.profiles.client: <a id="CO464-1"></a><i class="conum" data-value="1"></i>
  port: 9500-9600 <a id="CO464-2"></a><i class="conum" data-value="2"></i>
  xpack.security:
    type: client <a id="CO464-3"></a><i class="conum" data-value="3"></i></pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO464-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p><code class="literal">client</code> is the name of this example profile</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO464-2"><i class="conum" data-value="2"></i></a></p>
</td>
<td align="left" valign="top">
<p>The port range that will be used by transport clients to communicate with
this cluster</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO464-3"><i class="conum" data-value="3"></i></a></p>
</td>
<td align="left" valign="top">
<p>Categorizes the profile as a <code class="literal">client</code>. This accounts for additional security
filters by denying request attempts on for internal cluster operations
(e.g shard level actions and ping requests) from this profile.</p>
</td>
</tr>
</table>
</div>
<p>If supported by your environment, an internal network can be used for node-to-node
traffic and public network can be used for client traffic by adding the following
to <code class="literal">elasticsearch.yml</code>:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">transport.profiles.default.bind_host: 10.0.0.1 <a id="CO465-1"></a><i class="conum" data-value="1"></i>
transport.profiles.client.bind_host: 1.1.1.1 <a id="CO465-2"></a><i class="conum" data-value="2"></i></pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO465-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>The bind address for the network that will be used for node-to-node communication</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO465-2"><i class="conum" data-value="2"></i></a></p>
</td>
<td align="left" valign="top">
<p>The bind address for the network used for client communication</p>
</td>
</tr>
</table>
</div>
<p>If separate networks are not available, then
<a href="ip-filtering.html" class="ulink" target="_top">IP Filtering</a> can
be enabled to limit access to the profiles.</p>
<p>When using SSL for transport, a different set of certificates can also be used
for the client traffic by adding the following to <code class="literal">elasticsearch.yml</code>:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">transport.profiles.client.xpack.security.ssl.truststore:
  path: /path/to/another/truststore
  password: x-pack-test-password

transport.profiles.client.xpack.security.ssl.keystore:
  path: /path/to/another/keystore
  password: x-pack-test-password</pre>
</div>
<p>To change the default behavior that requires certificates for transport clients,
set the following value in the <code class="literal">elasticsearch.yml</code> file:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">transport.profiles.client.xpack.security.ssl.client_authentication: none</pre>
</div>
<p>This setting keeps certificate authentication active for node-to-node traffic,
but removes the requirement to distribute a signed certificate to transport
clients. For more information, see
<a href="java-clients.html#transport-client" class="ulink" target="_top">Configuring the Transport Client to work with a Secured Cluster</a>.</p>
</div>
<div class="navfooter">
<span class="prev">
<a href="configuring-security.html">« Configuring security in Elasticsearch</a>
</span>
<span class="next">
<a href="security-files.html">Security files »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>